CyberWire Daily - Cyberespionage campaign hits Colombia. New malware found in the SolarWinds incident. Mimecast certificates compromised. Ubiquiti tells users to reset passwords. Two wins for the good guys.

Episode Date: January 12, 2021

A cyberespionage campaign, so far not attributed to any threat actor, continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bitdefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on the trend toward Chief People Officers. And Europol announces the takedown of the DarkMarket. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/7

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A cyber espionage campaign so far not attributed to any threat actor continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident.
Starting point is 00:02:16 Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bitdefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on the trend toward chief people officers. And Europol announces the takedown of DarkMarket. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 12th, 2021. Researchers at security firm ESET report a targeted malware campaign, Operation Spalax, which they say is active against targets in Colombia,
Starting point is 00:03:19 which they evaluate as having some form of espionage as its goal. Both government organizations and private companies figure among the targets. The companies being hit have, for the most part, been in the metallurgical and energy sectors. The campaign uses RATs, remote-access Trojans, and the threat actor uses what ESET characterizes as a large network infrastructure for command and control. The researchers count at least 24 different IP addresses that were in use during the second half of 2020, most of which probably represent compromised devices that function as proxies for command and control servers. The threat actor also uses dynamic DNS services,
Starting point is 00:03:58 and this, in combination with the range of IP addresses, renders their operational infrastructure a moving target. ESET says, quote, we have seen at least 70 domain names active in this time frame and they register new ones on a regular basis, end quote. While the researchers see some possible connections with campaigns against Colombia observed by QiAnXin in 2018 and Trend Micro in 2019, ESET has insufficient evidence to offer even a tentative attribution. They can say that the targeting is confined to Colombia, that the threat actors use a complex and shifting infrastructure, and that whoever's behind Operation Spalax gets their malware from a third party.
Starting point is 00:04:44 Security firm CrowdStrike late yesterday announced the discovery of a malware implant, Sunspot, associated with the Sunburst backdoor that's afflicted SolarWinds' Orion platform. They see Sunspot as malware that's been used since September 2019 to insert the Sunburst backdoor into Orion software builds. Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code, and in doing so takes care to keep Orion builds from failing, lest the compromise betray itself to developers. CrowdStrike hasn't reached any firm conclusions about attribution.
Starting point is 00:05:28 They're tracking the incursions as the Stellar Particle activity cluster. CrowdStrike says in their blog post, quote, "The design of Sunspot suggests Stellar Particle developers invested a lot of effort to ensure the code was properly inserted and remained undetected." They added that the threat actors prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers. End quote. The details CrowdStrike provides in their account of Sunspot afford an interesting look
Starting point is 00:05:59 at how a software supply chain attack is staged and maintained. So who's responsible for Solorigate? The security firms who've been looking into it have been commendably cautious about the attribution. The U.S. government, however, part of whose business is, after all, to figure out who's out there doing the spying, has of course concluded that it's a foreign intelligence service, likely Russian in origin, but it hasn't so far pinned responsibility on any specific group or organization. Media reports have so far focused on either the SVR or the FSB, both successor agencies to the KGB,
Starting point is 00:06:38 and associated with units who've received the cute huggy bear names of Cozy Bear or, more menacingly, Venomous Bear. In truth, the quiet low profile of the operation doesn't seem to fit the GRU's noisy and assertive style, so no one has really seen Fancy Bear's paw prints in the operation. ZDNet has a quick scorecard of cautious and preliminary attribution by security companies. Microsoft and FireEye have called the actor UNC2452, Volexity calls it Dark Halo, and CrowdStrike, as we mentioned, is tracking it as Stellar Particle. Kaspersky said this week it's discerned code similarities between the backdoor threat actors installed in SolarWinds and another backdoor,
Starting point is 00:07:25 Kazuar, which had been used by the threat group Turla, also known as Venomous Bear and a lot of other names. But Kaspersky is also cautious and points out that imitation, false flags, common suppliers, and former employees now working for another outfit are alternative explanations for the code overlap. Whoever was behind the operation, it remains a very large and very damaging one. Mimecast warns that a sophisticated threat actor has compromised a Mimecast-issued certificate used to authenticate some of its products to Microsoft 365 Exchange Web Services.
Starting point is 00:08:08 The products involved include Mimecast Sync & Recover, Continuity Monitor, and IEP. The incident affects about 10% of Mimecast's customers who've been asked to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate Mimecast has made available. The risk of compromise is that the unidentified threat actor could intercept email traffic. It's another form of software supply chain compromise. Reuters said late this
Starting point is 00:08:38 morning that three distinct security researchers speaking on condition of anonymity told the wire service that they believed it likely that the same actor behind Solorigate was responsible for the Mimecast incident. IoT and Wi-Fi vendor Ubiquiti yesterday disclosed a data breach, saying that its IT systems were accessed through a third-party cloud provider. Ubiquiti recommends that customers change their passwords and enable two-factor authentication. The mob attack on the U.S. Capitol last Wednesday remains under investigation as investigators sort out responsibilities and identify rioters. A quasi-vigilante scraping and archiving of Parler data by private researchers has preserved much of that platform's traffic.
Starting point is 00:09:25 This is being widely reported as a hack, but that seems incorrect. Apparently the data collected were all publicly posted and available. The story is developing, and we'll have more as it emerges. In the meantime, we close with two bits of good news.
Starting point is 00:09:42 First, bravo Bitdefender, which has released a free decryptor for DarkSide ransomware, the work of a phony Robin Hood gang that claimed from a very high horse to donate part of its very large criminal take to various good causes. Good riddance to them,
Starting point is 00:09:59 and again, bravo Bitdefender. And second, good riddance to DarkMarket. Europol announced this morning that an international law enforcement operation has taken down DarkMarket, generally held to have been the Internet's largest dark web contraband market. German authorities took the lead in the investigation, with partners from Europol, Australia, Denmark, Moldova, Ukraine, the United Kingdom, and the USA. DarkMarket's wares consisted mostly of drugs, counterfeit currency, paycard information, and malware. Bravo to Europol and everyone else who cooperated in the takedown.
Starting point is 00:10:43 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:11:14 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:11:39 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:12:36 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. What's in a name? Or specifically, what's in a title? And does it matter if we refer to someone as a janitor versus a sanitation engineer? A solutions architect versus a salesperson? How about titling someone the head of HR versus chief people officer?
Starting point is 00:13:24 Jessi Marcoff is chief people officer at data privacy firm Privitar. And she makes the case that, yep, in this case, it is a distinction with a difference. So HR is definitely an interesting topic because I think over the last really 45 years, but really the last 10 years, the space has changed quite a bit. And you hear a lot of tech organizations calling it the people function or people operations versus human resources or HR. And I think that's rapidly increasing because of folks that are coming into the workforce, especially in the tech space. HR is typically known as essentially protectors of the top, or they act as a sifter or police sort of function. And I think that that's changing quite a bit. It's really focused more on engagement and how do you become the bridge between the company and
Starting point is 00:14:17 employees, both from a communication perspective and just how do you enable them to do their job better and set clear goals around that. And so I think because of that shift in mindset, there's been more of a need for this role at the top. And really the value that this group brings to an organization, I think, is becoming more recognized, which is fantastic. Yeah, I'm also intrigued by the choice of wording here to call the title chief people officer rather than chief of human resources. Is that a deliberate signaling of a shift in the way that this position interacts with folks throughout the organization? The idea is the verbiage is changing because we're not just looking at our humans, our people as resources from a cost perspective. I think we very much are looking at our people
Starting point is 00:15:15 as our biggest asset. And I think that you're seeing that in some of these titles. I mean, there's all kinds of really exciting and fun titles in this space that are specific to engagement tactics, which at the end of the day, again, if people are sticking around for a few years, how do you get them to be at their best? So yeah, there's definitely a shift in just even what we're calling this space. And how do you make the case to organizations who may not
Starting point is 00:15:46 put their HR folks at this level? What are the key benefits that you see for them to elevate this position this way? Well, I think it's really important to recognize, again, that when you think about your largest assets within the organization, it's your people. And I think collecting that information and data, I mean, at the same time, we're using people data all the time to make decisions. And so I think if on one hand, if you can show the benefits of retaining really good talent and the actual business outcomes that are associated with that, it's really about showing the value.
Starting point is 00:16:25 And I think that that's really important that it goes beyond just what are we providing to employees from an engagement perspective, but how are we enabling people? How are we actually getting the most out of them and setting really clear expectations and really getting them jazzed to be a part of the organization? So I think if you can show really clear time to value, essentially, like you would a customer and a product, I think if you can kind of look at it through that lens, it's a no-brainer. That's Jessi Marcoff from Privitar. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:18:01 And I'm pleased to be joined once again by Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. You know, on one of our recent Caveat episodes, you and I were talking about facial recognition software and the ongoing challenges there. You had highlighted an op-ed from the Washington Post that was pointing out some of the limitations, how several people had been unjustly accused
Starting point is 00:18:23 based on inaccurate facial recognition software and how there is undoubtedly a racial bias issue that's going on here. Yes, yeah. So we've had a few several high-profile incidents in the past year or so where facial recognition has falsely identified individuals who have been arrested and prosecuted.
Starting point is 00:18:45 And all these individuals are Black men. And so it's clear we have a pretty big institutional problem here where whatever is happening with facial recognition and artificial intelligence, it's misidentifying Black men at a relatively high proportion. And this is a policy problem that we're going to have to fix at all levels of government, starting with the technologists who are creating these algorithms, but then the local police departments that are using them. So it's becoming a serious problem.
Starting point is 00:19:14 I think the Washington Post op-ed was wise in saying, we need to hit the pause button on the use of this technology until we figure out exactly what's going on here. Well, when I saw you sharing that story, it reminded me of another study that I'd seen come by. This is from last year in 2020. It was a study done by Georgia Tech, and it was about basically self-driving cars, these automated vehicles that do not do as good a job detecting pedestrians with darker skin as they do with pedestrians with lighter skin. The study from Georgia Tech found that consistently these systems were between 4% and 10% less
Starting point is 00:19:57 accurate when they encountered images of human figures with darker skin shades. So, you know, again, not to sound flippant, but as we said over on Caveat, not only are you more likely to be unjustly charged based on facial recognition, you might get run over by a car. Yeah, I mean, another thing we talked about on Caveat is we have, you know, a long history in this country
Starting point is 00:20:23 of institutional racism. And you'd think the tools of technology might be used to cut against, you know, some of these historical biases. And now we have two instances here where technology is actually making things worse from a racial equity standpoint. And, you know, this story or this study from Georgia Tech is, I think, important because of the tangible impact. If you have technology that's 4% to 10% less likely to identify people with darker skin pigmentation, when we're talking about driverless cars, that means cars are going to be more likely to hit those types of pedestrians. That's the consequence that's going to happen here.
Starting point is 00:21:03 I think some of this is clearly human error. The training data set for this type of technology had used roughly 3.5 times more examples of white individuals compared to people with darker skin pigmentation. So, you know, it's not exactly surprising that these driverless cars are better at avoiding, you know, the type of faces that they've spent more time learning about, so to speak. And, you know, this is a policy problem and an institutional problem that we have to fix. people with darker skin pigmentation might be a minority, but you have a large enough subsample that you can put together a robust data set and make sure that these types of discrepancies don't exist. I'm no expert when it comes to how you train an AI, so I'm speaking out of turn here,
Starting point is 00:22:02 but I could imagine someone coming at this and saying, looking at the racial breakdown of a community and saying, okay, we're 50% white, we're 30% African-American, we're 15% Asian, whatever, however those numbers add up, whatever the reality is, and say, oh, I'm going to use those percentages on my training data. And at first blush, that would seem to be a sensible thing to do, but it's not because what you end up with is, like in this case, you end up with a system that's a safety system that's not as good at protecting your less represented groups of people. Right.
Starting point is 00:22:43 And I think now that we know that these artificial intelligence systems have these biases, we have no excuses. Orchestrating machine learning, we have no excuses to not take racial equity into consideration anymore because we have this knowledge now. We know that this is a problem that exists.
Starting point is 00:23:01 So we can no longer ignore it. Yeah, yeah. All right. Well, it's an interesting study. Again, it was from Georgia Tech. Ben Yelin, thanks for joining us. Thank you so much. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:37 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It will save you time and keep you informed. Remember the times of your life. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:24:17 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
